AIX

  • 1.  Disable CCAP/EAL+4 option

    Posted Thu October 05, 2006 08:51 AM

    Originally posted by: SystemAdmin


    My customer has enabled the CCAP feature at the installation of a 5.3 system.

    What is the right way to disable this option?

    Thanks.

    Patrick.jaeger
    #AIX-Forum


  • 2.  Re: Disable CCAP/EAL+4 option

    Posted Thu October 05, 2006 12:21 PM

    Originally posted by: nh4aix


    It is my understanding that it can not be disabled. It is only available to be selected or not selected at install time.

    http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.security/doc/security/capp_sys_installing.htm
    #AIX-Forum


  • 3.  Re: Disable CCAP/EAL+4 option

    Posted Thu October 05, 2006 04:16 PM

    Originally posted by: woofer


    In other words, reinstall.
    #AIX-Forum


  • 4.  Re: Disable CCAP/EAL+4 option

    Posted Fri October 06, 2006 01:16 PM

    Originally posted by: SystemAdmin


    There is a way to take a machine out of CAPP mode. You can reset the TCB_STATE. There is a script called CC_EVALify.sh that is run to set the CAPP settings. You can review that script to determine if there are default settings you want to restore.

    If you want to take a system out of CAPP mode to update it, the CC_EVALify.sh can be rerun to restore the CAPP settings.

    Here is additional information from a techdoc on how to upgrade a CAPP system:

    There is no way to force install this bos.rte upgrade on a CAPP enabled system other than to reinstall the operating system without the CAPP enabled.
    Procedure
    This techdoc describes a three-step procedure that involves making some changes on the system and then performing updates, without having to reinstall the system.
    1. Execute the following command to come out of CC mode to apply patches. However, note that once this is done, the system will no longer be in Common Criteria Certified mode. The customers need to check with their local system evaluators to review whether this is an acceptable environment.
    The following command modifies the ODM state so that the updates can be applied:

        odmchange -o PdAt -q "attribute=TCB_STATE" odm.data
    2. Apply patches using installp
    3. Execute the "set_state_to_CC" script (shown below) to bring the system back to restrictive mode. Note that this will not bring the system back to CC certified mode, but just brings it back to CC certified equivalent restrictive mode. This script will set the system install mode to CC_EVAL and could be executed to re-do some of the CC related steps on AIX to bring the system back close to a Common Criteria certified mode with regard to checks and bounds. However, it should be noted that this will never cause the system to be considered a CC certified system. As stated earlier, once an unlock is done to install updates, the certification is not valid any more.

        cat set_state_to_CC

        #!/bin/ksh
        umask 027
        unset PATH
        export PATH=/usr/bin:/etc:/usr/sbin:/sbin:/usr/ucb
        # ignore signals to prevent inconsistent state
        trap "" INT HUP TERM QUIT EXIT
        # modify the ODM state (odm_back.data carries the TCB_STATE stanza that sets CC_EVAL)
        odmchange -o PdAt -q "attribute=TCB_STATE" odm_back.data
        # execute evalify for CC
        /usr/lib/security/CC_EVALify.sh
        # update TCB database for any system updates
        tcbck -p ALL

    Whenever the system needs to be updated to the next ML, the above described 3-step procedure should be followed.
    #AIX-Forum
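The three-step unlock / update / relock procedure quoted in the post above, as an added example that is not part of the thread or of IBM's techdoc. It goes a little beyond the quoted set_state_to_CC script: instead of a hand-edited odm.data / odm_back.data file it pulls the current TCB_STATE stanza with odmget, rewrites its deflt field, and feeds that to odmchange, so the same function serves both the unlock (step 1) and the relock (step 3). Assumptions that the thread does not confirm: that TCB_STATE is a PdAt attribute whose "deflt" field holds the mode, that "CC_EVAL" is the CC-mode value (the techdoc says so) and "tcb_enabled" the ordinary non-CC value, and that the field layout of the constructed SAMPLE_STANZA matches what odmget prints. odmget, odmchange, installp, tcbck and /usr/lib/security/CC_EVALify.sh are real AIX commands; every function name is ours.

```shell
#!/bin/sh
# Added example (not from the thread or IBM's techdoc): the unlock / update /
# relock procedure with the TCB_STATE stanza rewritten from odmget output
# instead of from a hand-edited odm.data / odm_back.data file.
#
# Assumptions (not confirmed by the thread): TCB_STATE is a PdAt attribute
# whose "deflt" field carries the mode, "CC_EVAL" is the CC-mode value and
# "tcb_enabled" the ordinary non-CC value.

ODM_CLASS=PdAt
ODM_QUERY='attribute=TCB_STATE'
CC_EVALIFY=/usr/lib/security/CC_EVALify.sh

# Constructed sample of what "odmget -q attribute=TCB_STATE PdAt" would print
# on a CC-mode system (field list abbreviated); used for offline testing only.
SAMPLE_STANZA='PdAt:
        uniquetype = "sys/node/aix"
        attribute = "TCB_STATE"
        deflt = "CC_EVAL"'

# valid_tcb_state VALUE: accept only the states this procedure toggles between,
# so a typo cannot write garbage into the ODM.
valid_tcb_state() {
    case $1 in
        CC_EVAL|tcb_enabled|tcb_disabled) return 0 ;;
        *) echo "unknown TCB_STATE value: $1" >&2; return 1 ;;
    esac
}

# current_tcb_state STANZA: print the value of the deflt field.
current_tcb_state() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*deflt[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p'
}

# rewrite_tcb_state STANZA VALUE: print the stanza with deflt replaced.
# Every other line is preserved, so odmchange receives a complete stanza for
# the same uniquetype/attribute it was queried with.
rewrite_tcb_state() {
    valid_tcb_state "$2" || return 1
    printf '%s\n' "$1" | sed "s/^\([[:space:]]*deflt[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"$2\"/"
}

# apply_tcb_state VALUE: step 1 (unlock) or step 3 (relock) on a real system.
# Needs root; not exercised by the offline test.
apply_tcb_state() {
    stanza=$(odmget -q "$ODM_QUERY" "$ODM_CLASS") || return 1
    [ -n "$stanza" ] || { echo "no TCB_STATE stanza in $ODM_CLASS" >&2; return 1; }
    echo "TCB_STATE: $(current_tcb_state "$stanza") -> $1"
    file=/tmp/tcb_state.$$.data
    ( umask 077; rewrite_tcb_state "$stanza" "$1" > "$file" ) || { rm -f "$file"; return 1; }
    odmchange -o "$ODM_CLASS" -q "$ODM_QUERY" "$file"
    rc=$?
    rm -f "$file"
    return $rc
}

# update_with_cc_unlock FIXDIR: the whole 3-step procedure. Signals are ignored
# for the duration, as in set_state_to_CC, so a stray ^C cannot leave the ODM
# unlocked with CC_EVALify.sh never re-run.
update_with_cc_unlock() {
    trap '' INT HUP TERM QUIT
    apply_tcb_state tcb_enabled || return 1      # 1. leave CC mode
    installp -agXY -d "$1" all || return 1       # 2. apply the fixes in FIXDIR
    apply_tcb_state CC_EVAL || return 1          # 3. back to CC_EVAL ...
    "$CC_EVALIFY" || return 1                    #    ... re-run evalify
    tcbck -p ALL                                 #    ... refresh the TCB database
}
```

On a real box the call is `update_with_cc_unlock /path/to/fixes` as root; the rewrite and lookup functions can be run anywhere against the sample stanza. The updates are applied, not committed (no `-c`), so they can still be rejected if the relock fails; and, as the techdoc stresses, relocking restores the restrictive configuration but not the certification.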